Risk management is a process that is run by (or on behalf of) a specific party for the purpose of managing the risks that it owns (thereby realizing specific risk objectives). The overall risk objective that parties seek to manage is to ensure that the set of all risks that they perceive to run are, as a whole, acceptable.
For various purposes, a party may decide to run multiple risk management processes. For example, it may run one process for managing the risks related to quality, or information security, or environmental issues. This allows a party to design, maintain and realize risk objectives that are tailored to such topics. Also, a party may run different risk management processes (perhaps with the same risk objectives) for different parts of its scope of control. However, a party should ensure that the combination of these processes result in its overall risk management to be complete, coherent and consistent.
For the risk management of a party to be complete, it must (explicitly or implicitly) define and maintain a set of risk objectives, such that when every of these objectives has been realized, the remaining (residual) risks (associated with the set of all objectives owned by this party) is, as a whole, acceptable. One risk objective of a party was mentioned in the previous paragraph (i.e. that the overall risk management should be complete, coherent and consistent"). Other well-known objectives are that risk management should be certifiable against some standard, e.g. ISO 9001 for quality, ISO 27001 for information security, or ISO 14001 for environmental risks.
For the risk management of a party to be coherent, any risk management process that it runs (or has outsourced) will only take risks into account for objectives that are owned by that party. This can easily be explained by observing that both the objectives and (associated) risks should be managed within the context of a single knowledge, being that of their owner. Also, given that parties are autonomous, they can only manage what is their own scope of control.
- a change in risk level of an existing objective;
- an objective that is being added to, modified within, or deleted from the set of objectives whose associated risks the process manages;
- a change in the set of risk objectives that the process pursues.
We distinguish between the following kinds of risk-management:
- centralized risk-management, which is a kind of risk management that assumes that the party that runs it has the power or right to give orders, make decisions that other parties must follow, and enforce obedience, which can be applied to mitigate its risks. This kind of risk-management ignores the natural autonomy of other parties, and hence may have consequences that the party cannot control.
- decentralized or networked risk-management, which is a kind of risk management that assumes that the party that runs it acknowledges the autonomy of other parties to determine their own objectives and manage the associated risks as they see fit. This implies that this party will communicate with these other parties about their mutual expectations, and find ways that help each other to manage their individual, subjective risks.
The purpose of a Risk Management process (that is run by, or on behalf of, some party), is to manage the risks that it owns within its scope of control. This may entail helping its stakeholders, i.e. the parties that either produce or consume the results of objectives that this party owns, to manage their risks as well.
A Risk Management (process) is a set of related activities that a party runs for the purpose of realizing a set of risk objectives that it owns, where the realization of these risk objectives ensure that (a specific subset of) the set of all objectives that the party owns come with associated risks that, on the whole, this party finds acceptable.